[英]How to create a public Multi-Region Access Point policy?
I am experimenting with multi-region access points and their over-complicated policy syntax, and I can't get the simplest things to work.我正在试验多区域接入点及其过于复杂的策略语法,但我无法让最简单的事情发挥作用。
I have 3 buckets spawned across the globa and created a single access point.我在全球范围内产生了 3 个存储桶并创建了一个访问点。 All my items are private as my multi-region access point policy is not configured yet.
我的所有项目都是私有的,因为我的多区域接入点策略尚未配置。
So far I have this:到目前为止,我有这个:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3::<my account id>:accesspoint/xyz.mrap"
],
"Condition": {
"StringEquals": {
"s3:DataAccessPointAccount": "<my account id>"
}
}
}
]
}
The error indicated states:指示的错误指出:
Action does not apply to any resource(s) in statement
行动不适用于声明中的任何资源
Their example uses "Action": "*",
but I want to limit this.他们的示例使用
"Action": "*",
但我想限制这一点。
Can anyone help out what is wrong with my policy?谁能帮助我的政策出了什么问题?
s3:GetObject
applies to objects only . s3:GetObject
仅适用于对象。 Your arn:aws:s3::<my account id>:accesspoint/xyz.mrap
represents access point, not its objects.您的
arn:aws:s3::<my account id>:accesspoint/xyz.mrap
代表访问点,而不是其对象。 Thus it should be:因此它应该是:
"Resource": [
"arn:aws:s3::<my account id>:accesspoint/xyz.mrap/*"
],
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.